Description of problem: Systemd is mounting /sys/kernel/debug as 0755. We need it mounted as 0700 for security reasons.
Shouldn't the kernel defaults for anything sensitive be fixed, rather than relying on userspace workarounds?
We are not working around kernel problems in userspace, and we do not implement security by obscurity. If interfaces reachable via debugfs expose security holes this should be fixed in the kernel. If the access mode to debugfs should be made tigther, then the default for it should be changed in the kernel, and userspace shouldn't attempt to tape over it. Reassigning to kernel. Steve, please list the security holes debugfs exposes, so that they can be fixed, thank you.
There is no need to list the holes nor is this security by obscurity. Its the same thing as turning on your firewall. You can either fix the holes in all the daemons - which you will never be sure you got them all. Or turn on your firewall and be done. We simply need debugfs non-world readable. It can even be 0750 with a special non-root group if normal users need access.
the upstream kernel just changed this to be 700 by default. https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=82aceae4f0d42f03d9ad7d1e90389e731153898f we're not undoing that in the Fedora kernel, so if systemd wants this changed back, argue for it on linux-kernel.